
KB-5888: CyberArk fails to issue the ‘su’ command correctly to change the root password on the machine

Authentication Service

31 May,16 at 05:03 PM

Applies to: All Centrify Direct Control versions.


When an AIX or Linux server with CyberArk is joined to the AD domain, CyberArk fails to issue the ‘su’ command correctly to change the root password on the machine.
The command gets mangled to ‘s?u’. This only happens after the machine is joined to AD via adclient.


A CPM (Central Password Manager) is required to mimic what CyberArk does. Without a CPM, it is almost impossible to imitate CPM functionality.
CyberArk uses "expect" to interact with the servers. The expect script gets confused when presented with numerous "#" characters and seems to think it is seeing a root prompt when it is not.
The CyberArk Group Policy is used to force a "banner" telling people to remember to use their AD passwords. This banner included a border of octothorpes.
This confuses CyberArk's expect script, but because this is set up only on the Centrify-connected servers, the issue is only seen on Centrified systems.

The root cause of the issue was the unique login banner text on Centrify-enabled systems.

Change the Group Policy to not use the "###" border in the banner.

This will allow CyberArk's expect script for Central Password Manager to function correctly.
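
The banner/prompt confusion described above can be checked before a banner is rolled out. The following is an added example, not CyberArk or Centrify code: the two prompt patterns, the banner text and the prompt string are constructed assumptions used only to show how a loose "#" match fires inside the banner while an anchored match waits for the real prompt.

```python
import re

# Constructed sample: a login banner with an octothorpe border, followed by
# the root shell prompt that the password-change automation is waiting for.
BANNER = (
    "##############################################\n"
    "#  Remember to log in with your AD password  #\n"
    "##############################################\n"
)
SESSION = BANNER + "[root@host ~]# "

# Hypothetical prompt patterns (assumptions, not CyberArk's own expressions).
LOOSE_PROMPT = re.compile(r"#")            # any '#' is taken for a root prompt
STRICT_PROMPT = re.compile(r"\][#$] \Z")   # "]# " or "]$ " at the end of output


def match_offset(stream, pattern, chunk=16):
    """Feed `stream` into a buffer chunk by chunk, the way expect receives
    terminal output, and return the buffer length at which `pattern` first
    matches. Returns None if the pattern never matches."""
    buf = ""
    for i in range(0, len(stream), chunk):
        buf += stream[i:i + chunk]
        if pattern.search(buf):
            return len(buf)
    return None


def banner_lines_matching(banner, pattern):
    """Return the banner lines that `pattern` would mistake for a prompt."""
    return [line for line in banner.splitlines() if pattern.search(line)]


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE_PROMPT), ("strict", STRICT_PROMPT)):
        off = match_offset(SESSION, pat)
        where = "inside the banner" if off < len(BANNER) else "at the real prompt"
        print(f"{name}: prompt detected after {off} bytes ({where})")
        for line in banner_lines_matching(BANNER, pat):
            print(f"  banner line looks like a prompt: {line!r}")
```

With the loose pattern the next command would be sent while the banner is still being printed; running `banner_lines_matching` over proposed banner text shows which lines need to change.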